A Performance Evaluation of Software-Defined Security through Network Function Chains
Abstract
Network Function Virtualization (NFV) enables the on-demand provisioning and composition of a chain of network functions tailored to the requirements of an application or service. This capability is needed to secure enterprise networks and critical infrastructures that depend on processing in the network core. This paper proposes and develops virtual network security functions and evaluates their performance on the open platform for virtual network functions, OPNFV. A prototype based on software-defined networking technology and compatible with the Network Service Header protocol was designed and developed. The prototype performs intelligent chaining of an intrusion detection and prevention system with a firewall and offers high flexibility without compromising end-to-end delay.
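To make concrete what "NSH-compatible chaining" of an intrusion detection/prevention system with a firewall involves, the following is an added example, not code from the paper or its OPNFV prototype. It encodes and decodes the two mandatory Network Service Header words (base header and service path header) using the bit layout of RFC 8300, the published version of the draft the paper cites, and then simulates one packet being steered by a service function forwarder through a chain IDS/IPS -> firewall -> egress: each service function decrements the Service Index, and the forwarder looks up the next hop by (SPI, SI). The forwarding table, the chain names, the toy "proto=...;dport=...;data=..." inner packet format, the IPS signature and the firewall port policy are all constructed for the example.

```python
"""Added example: NSH (RFC 8300) header encode/decode and a service function chain walk."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

NSH_NP_ETHERNET = 0x3   # Next Protocol: inner packet is an Ethernet frame (RFC 8300, Sec. 2.2)
NSH_MD_TYPE_2 = 0x2     # MD Type 2: variable-length context headers (none are carried here)
NSH_LENGTH_WORDS = 2    # base header + service path header = 8 bytes = 2 four-byte words


@dataclass
class NSH:
    spi: int                          # Service Path Identifier (24 bits): which chain
    si: int                           # Service Index (8 bits): position within the chain
    ttl: int = 63                     # 6-bit hop limit, decremented by every SFF
    md_type: int = NSH_MD_TYPE_2
    next_proto: int = NSH_NP_ETHERNET
    oam: int = 0                      # O bit: OAM packet

    def pack(self) -> bytes:
        if not (0 <= self.spi < (1 << 24) and 0 <= self.si < 256 and 0 <= self.ttl < 64):
            raise ValueError("NSH field out of range")
        # Base header bits: Ver(2)=0 | O(1) | U(1)=0 | TTL(6) | Length(6) | U(4)=0 | MD Type(4) | Next Proto(8)
        word1 = ((self.oam << 29) | (self.ttl << 22) | (NSH_LENGTH_WORDS << 16)
                 | (self.md_type << 8) | self.next_proto)
        word2 = (self.spi << 8) | self.si          # Service Path header: SPI(24) | SI(8)
        return struct.pack("!II", word1, word2)

    @classmethod
    def unpack(cls, data: bytes) -> Tuple["NSH", bytes]:
        """Parse the NSH headers and return (header, inner payload); context headers are skipped."""
        if len(data) < 8:
            raise ValueError("truncated NSH")
        word1, word2 = struct.unpack("!II", data[:8])
        if word1 >> 30 != 0:
            raise ValueError("unsupported NSH version")
        length = (word1 >> 16) & 0x3F              # total header length in 4-byte words
        if length < NSH_LENGTH_WORDS or len(data) < length * 4:
            raise ValueError("bad NSH length")
        hdr = cls(spi=word2 >> 8, si=word2 & 0xFF, ttl=(word1 >> 22) & 0x3F,
                  md_type=(word1 >> 8) & 0xF, next_proto=word1 & 0xFF, oam=(word1 >> 29) & 1)
        return hdr, data[length * 4:]


def classify(spi: int, payload: bytes) -> bytes:
    """Classifier: impose NSH with the chain's SPI and the initial Service Index 255."""
    return NSH(spi=spi, si=255).pack() + payload


def parse_flow(payload: bytes) -> Dict[str, str]:
    # Constructed toy inner packet, e.g. b"proto=tcp;dport=443;data=GET /"; a real SF parses IP/TCP.
    return dict(kv.split("=", 1) for kv in payload.decode().split(";"))


def ids_ips(payload: bytes) -> bool:
    """Inline IPS: drop on a constructed signature match, otherwise let the packet continue."""
    return b"EVIL-PATTERN" not in payload


ALLOWED_PORTS = {"80", "443"}                  # constructed firewall policy


def firewall(payload: bytes) -> bool:
    return parse_flow(payload).get("dport") in ALLOWED_PORTS


# Constructed forwarding table of the service function forwarder: (SPI, SI) -> next hop.
FORWARDING: Dict[Tuple[int, int], str] = {(10, 255): "ids", (10, 254): "firewall", (10, 253): "egress"}
FUNCTIONS: Dict[str, Callable[[bytes], bool]] = {"ids": ids_ips, "firewall": firewall}


def walk_chain(frame: bytes, forwarding: Dict[Tuple[int, int], str],
               functions: Dict[str, Callable[[bytes], bool]]) -> Tuple[List[str], Optional[bytes]]:
    """Simulate one packet through the SFF and the SFs it steers to.
    Returns the hops visited and the payload delivered at egress (None if dropped)."""
    visited: List[str] = []
    while True:
        hdr, payload = NSH.unpack(frame)
        if hdr.ttl == 0:
            return visited, None               # hop limit exhausted: loop protection
        hop = forwarding.get((hdr.spi, hdr.si))
        if hop is None:
            return visited, None               # no path for this (SPI, SI): drop
        visited.append(hop)
        if hop == "egress":
            return visited, payload            # last SFF strips NSH and delivers the packet
        hdr.ttl -= 1                           # SFF decrements TTL
        if not functions[hop](payload):
            return visited, None               # the SF (IPS or firewall) dropped the packet
        hdr.si -= 1                            # SF decrements SI before handing back to the SFF
        frame = hdr.pack() + payload


if __name__ == "__main__":
    for pkt in (b"proto=tcp;dport=443;data=GET /", b"proto=tcp;dport=23;data=login",
                b"proto=tcp;dport=80;data=EVIL-PATTERN"):
        print(pkt, "->", walk_chain(classify(10, pkt), FORWARDING, FUNCTIONS))
```

The chain order lives only in the forwarding table, which is what lets an SDN controller re-order or extend the chain (for instance, inserting a second function after the IDS) without touching the functions themselves; each function only needs to decrement SI.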
Published
06/11/2017
How to Cite
SANZ, Igor J.; ALVARENGA, Igor D.; ANDREONI, Martin; MAURICIO, Leopoldo A. F.; MATTOS, Diogo M. F.; RUBINSTEIN, Marcelo G.; DUARTE, Otto Carlos M. B. Uma Avaliação de Desempenho de Segurança Definida por Software através de Cadeias de Funções de Rede. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 17., 2017, Brasília. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2017. p. 98-111. DOI: https://doi.org/10.5753/sbseg.2017.19493.